Go-bag or go home: Incident Response

5 June 2019

Thinking about a career in Incident Response? You’ll soon discover that your go-bag (kit-bag, tech kit, tool-kit – some even refer to it as just a bag) will become one of the most important things you own. We spoke with Waldo Woch, Associate Incident Response Consultant at MWR, and asked him “What’s in your go-bag?”

Although there’s no one-size-fits-all answer, there are a few key items that you might want to consider. After all, time is of the essence when a breach has been detected, so you need to make sure you’ve got the essentials to collect and examine those all-important artefacts.

Speed is essential in Incident Response

Real-time analysis is critical to responding effectively to an incident. It could be that the client has tooling in place that helps identify attacks but, if they don’t or the attacker gets past it, you could be dealing with an attacker that’s been in the system for months, maybe even years.

So the last thing you need is to turn up to an incident unprepared. Speaking to Waldo, we found out what he carries in his bag, what he hopes to add to it in the future, and what advice he has for those just starting out.

No two go-bags are the same

Knowing what’s in your bag, why it’s there, and what you can do with it (something that’s not always as obvious as you’d think) is vital. It can be the difference between spending an entire day imaging a single machine in case of issues, or just a few hours.

“We have a defined baseline by our Standard Operating Policy (SOP) that’s reviewed monthly and then we can extend it as we see useful,” explains Waldo. “So we’ll have that inside our large pelican case (it’s reinforced), along with any equipment we personally consider useful or have found useful in the past.”

In terms of items you wouldn’t find in every go-bag, it’s probably his SD/MicroSD cards. Waldo says, “They came in handy when I tried to help a friend of mine recover some data in the past – they hadn’t been too kind to their USB ports so connectivity was a bit dodgy. Although this is unlikely to be the case in 99% of professional engagements, I keep them in my bag, just in case. Given how small they are, it’s not too much to add and I’ll be prepared for anything then.”

Your go-bag will change over time

When Waldo first started out in IR, his bag was essentially a few loose cables in addition to the SOP. Then it became a bag with at least one of every type of USB cable and a boatload of USB sticks, simply because they always proved useful – even if it was just because people would forget to bring their phone charging cables.

Now it’s become less of a go-bag and more of a go-case. Partly because of the safety a reinforced case offers but also because Waldo is always adding to his case when something proves its worth. So what’s the last thing he added and why?

“I recently added a new USB-C with 5 USB ports and 3 SD card slots because I tend to run out of USB ports. And when working with a bunch of disks and other things that use USB for power/data transfer, you need a lot of them.”

3 key items and their use cases

All Incident Responders have their own unique go-to tools that they couldn’t live without. For Waldo, these are USB sticks, the USB-C hub and SSDs. To give us an idea of why they’re so special, he provided us with some use cases.

USB Sticks – These have various Operating Systems on them (Linux, Windows Forensic Edition), as well as Operating System images. They’re pretty useful when you can’t use a writeblocker for various reasons, like encrypted drives.

USB-C Hub – It’s amazing for connectivity!

SSDs – Great for storage, which IR uses a lot of, since entire laptops are captured onto them for evidence. And in some cases, multiple laptops are captured.

Advice for a junior IR consultant

We couldn’t let Waldo go without asking if he had any advice or tips for Comp Sci students looking to pursue a career in IR. Quite simply, he says, “Don’t be afraid to experiment. Make sure you have your trusted equipment to use, but in case of backups it can be a case of anything goes (within reason – we’re still trying to capture forensically sound evidence and anything too drastic could result in the evidence being contaminated).”
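As an added example (not from the interview or MWR’s own tooling), the integrity check that makes a captured image forensically sound enough to rely on: hash the source as it is copied onto the evidence SSD, hash the stored image separately, and record both in a manifest so the copy can be re-verified before analysis. Paths and function names are assumptions.

```python
import hashlib
import json
import os
import time


def acquire_image(source: str, image_path: str, manifest_path: str,
                  chunk_size: int = 1 << 20) -> dict:
    """Copy ``source`` (block device or file) to ``image_path`` in one pass,
    hashing bytes as they are read, then re-hash the image from disk so the
    stored copy is checked independently of the in-memory stream."""
    source_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            source_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image has reached the SSD
    image_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(chunk_size), b""):
            image_hash.update(chunk)
    manifest = {
        "source": source,
        "image": image_path,
        "bytes": size,
        "sha256_source": source_hash.hexdigest(),
        "sha256_image": image_hash.hexdigest(),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    # A mismatch means the copy is not evidence: re-image, do not analyse.
    manifest["verified"] = manifest["sha256_source"] == manifest["sha256_image"]
    with open(manifest_path, "w") as mf:
        json.dump(manifest, mf, indent=2)
    return manifest


def verify_image(manifest_path: str, chunk_size: int = 1 << 20) -> bool:
    """Re-hash a stored image against its manifest, e.g. before analysis."""
    with open(manifest_path) as mf:
        manifest = json.load(mf)
    h = hashlib.sha256()
    with open(manifest["image"], "rb") as img:
        for chunk in iter(lambda: img.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest() == manifest["sha256_image"]
```

On a real engagement the source would be a device node behind a write blocker; the same two hashes are what go into the chain-of-custody record.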
